Access Denied When Connecting to Samba; Secruity = ADS

Rhodderz · 03-28-2014, 11:56 AM

So after having fun getting Samba-debian to join a Windows 2012R2 domain i have almost all functionality. One problem im now having is if i try to connect to my nas via:

Address Used Response
\\192.168.0.253 The Username or Password is incorrect
\\RMMD-NAS-1 Access Denied

OR by doing
smbclient -L /RMMD-NAS-1 -k
i get
ads_krb5_mk_req: smb_krb5_get_credentials failed for cifs/RMMD-NAS-1@RMMD.INT (Matching credential not found)
cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: Matching credential not found
session setup failed: NT_STATUS_UNSUCCESSFUL

smb.conf

Code:

[global]
        server string = Rhodderz NAS
        workgroup = RMMD
        netbios name = RMMD-NAS-1
        realm = RMMD.INT
        syslog = 3
        dns proxy = no
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        security = ADS
        password server = RMMD-SVR-1.RMMD.INT
        encrypt passwords = yes
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind separator = +
        ;winbind normalize names = yes
        winbind refresh tickets = yes
        idmap uid = 50-9999999999
        idmap gid = 50-9999999999
        template shell = /bin/bash
        ntlm auth = yes
        client ntlmv2 auth = yes
        client lanman auth = no
        log file = /var/log/samba/%m.log

;[homes]
;       browseable = no
;       comment = Home Directories
;       writable = yes
;       create mode = 0700
;       directory mode = 0700

[share]
        ;available = yes
        comment = Main Root of Share
        path = /disk/share
        create mask = 777
        nt acl support = yes
        inherit permissions = no
        force group = "RMMD.INT+domain users"
        directory mask = 755
        writable = yes
        valid users = %S

and testparm -s gives

Code:

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Processing section "[share]"
Loaded services file OK.
WARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter.
(by default Samba will discover the correct DC to contact automatically).
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
[global]
        workgroup = RMMD
        realm = RMMD.INT
        server string = Rhodderz NAS
        security = ADS
        password server = RMMD-SVR-1.RMMD.INT
        syslog = 3
        log file = /var/log/samba/%m.log
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        dns proxy = No
        template shell = /bin/bash
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind refresh tickets = Yes
        idmap config * : range = 50-9999999999
        idmap config * : backend = tdb

[share]
        comment = Main Root of Share
        path = /disk/share
        valid users = %S
        force group = "RMMD.INT+domain users"
        read only = No
        create mask = 0777

and nsswitch.conf

Code:

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       compat ldap

Any help is appreciated, cheers

Ser Olmy · 03-28-2014, 12:34 PM

Besides the issues pointed out by testparm, there's nothing obviously wrong with your smb.conf. Well, mapping UIDs and GIDs as low as 50 is bound to cause conflicts with existing Linux users and groups, but that's (probably) not what's causing the authentication errors.

(You should drop the "password server" option though, and consider a different winbind separator.)

Can you successfully obtain a Kerberos ticket with kinit AD_user@RMMD.INT? You will be prompted for a password, and a successful authentication attempt will result in no output. klist should then show a ticket.

Does wbinfo -u and wbinfo -g show users and groups from Active Directory?

Does getent passwd and getent group list both local users/groups and users/groups from Active Directory?

Rhodderz · 03-28-2014, 12:38 PM

Quote:

Originally Posted by Ser Olmy

Besides the issues pointed out by testparm, there's nothing obviously wrong with your smb.conf. Well, mapping UIDs and GIDs as low as 50 is bound to cause conflicts with existing Linux users and groups, but that's (probably) not what's causing the authentication errors.

(You should drop the "password server" option though, and consider a different winbind separator.)

Can you successfully obtain a Kerberos ticket with kinit AD_user@RMMD.INT? You will be prompted for a password, and a successful authentication attempt will result in no output. klist should then show a ticket.

Does wbinfo -u and wbinfo -g show users and groups from Active Directory?

Does getent passwd and getent group list both local users/groups and users/groups from Active Directory?

i can get a ticket via kinit for both administrator and my main account.
Both wbinfo -u and -g give appropriate repsonses
wbinfo -u

Code:

RMMD-NAS-1+root
administrator
guest
krbtgt
rhodderz
assassinsadmin
musicplayer
linuxadmin

(Assassins admin is for a society at the uni i am at)

wbinfo -g

Code:

domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
cloneable domain controllers
protected users
dnsadmins
dnsupdateproxy
helplibraryupdaters
sqlserver2005sqlbrowseruser$rmmd-svr-1
assassins administration group
linux sudoers
nasmembers

and i know about the small errors that where shown in teatparm and the low ID's, was playing around as i ran out of ideas.

Ser Olmy · 03-28-2014, 12:40 PM

And how about getent, which uses the winbind NSS library?

Rhodderz · 03-28-2014, 12:43 PM

Quote:

Originally Posted by Ser Olmy

And how about getent, which uses the winbind NSS library?

Sorry forgot that bit.
I get this back when i issue those

Code:

root@RMMD-NAS-1:~# getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
rhoddderz:x:1000:1000:Rhodri Mark Metcalfe-Davies,,,:/home/rhoddderz:/bin/bash
messagebus:x:104:106::/var/run/dbus:/bin/false
openldap:x:105:109:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
znc:x:1001:1001::/home/znc:/bin/sh
root@RMMD-NAS-1:~# getent group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:rhoddderz
floppy:x:25:rhoddderz
tape:x:26:
sudo:x:27:
audio:x:29:rhoddderz
dip:x:30:rhoddderz
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:rhoddderz
sasl:x:45:
plugdev:x:46:rhoddderz
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
crontab:x:102:
Debian-exim:x:103:
mlocate:x:104:
ssh:x:105:
rhoddderz:x:1000:
messagebus:x:106:
utempter:x:107:
sambashare:x:108:
openldap:x:109:
winbindd_priv:x:110:
znc:x:1001:
nasmembers:x:1002:

one thing i notice straight away is it has successfully gotten nasmembers from the domain as well (this was the group i was going to use to define what users have access to the shares)

Ser Olmy · 03-28-2014, 12:49 PM

getent doesn't list a single user or group from AD. "nasmembers" must be a local group.

Can you see the computer account object for RMMD-NAS-1 in AD? I suspect the trust relationship may have been broken, which would explain the error message:

Code:

ads_krb5_mk_req: smb_krb5_get_credentials failed for cifs/RMMD-NAS-1@RMMD.INT
(Matching credential not found)
cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: Matching credential not found

You should consider resetting or deleting the account object and run net ads join again.

Edit: And if you do, consider deleting the idmap database and changing the idmap parameters so that they don't totally obliterate all your local accounts and groups.

Rhodderz · 03-28-2014, 12:55 PM

Quote:

Originally Posted by Ser Olmy

getent doesn't list a single user or group from AD. "nasmembers" must be a local group.

Can you see the computer account object for RMMD-NAS-1 in AD? I suspect the trust relationship may have been broken, which would explain the error message:

Code:

ads_krb5_mk_req: smb_krb5_get_credentials failed for cifs/RMMD-NAS-1@RMMD.INT
(Matching credential not found)
cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: Matching credential not found

You should consider resetting or deleting the account object and run net ads join again.

NasMembers has only been created on the controller. RMMD-NAS-1 is in the AD. removing it and rejoining with "net ads join -U administrator" joins successfully with the response of

Code:

Using short domain name -- RMMD
Joined 'RMMD-NAS-1' to dns domain 'rmmd.int'

but still can not access the shares and "smbclient -L /RMMD-NAS-1 -k" still gives the same error. it did before give Logon_Denied but cant get it back to that state.

Ser Olmy · 03-28-2014, 01:03 PM

The Kerberos error clearly says that a credential could not be found. Does the SPN even exist? I don't have a Windows server handy right now, but I believe setspn -L RMMD-NAS-1 should list SPNs associated with that computer account.

Rhodderz · 03-28-2014, 01:12 PM

Quote:

Originally Posted by Ser Olmy

The Kerberos error clearly says that a credential could not be found. Does the SPN even exist? I don't have a Windows server handy right now, but I believe setspn -L RMMD-NAS-1 should list SPNs associated with that computer account.

setspn -L RMMD-NAS-1 gives

Code:

Registered ServicePrincipalNames for CN=rmmd-nas-1,CN=Computers,DC=rmmd,DC=int:
            HOST/rmmd-nas-1.rmmd.int
            HOST/RMMD-NAS-1

so it seems to be there.

Ser Olmy · 03-28-2014, 01:25 PM

OK. Actually, wbinfo should have failed if the account trust relationship wasn't working.

That leaves the issue of the non-functinal getent. The accounts and groups listed are definitely all local, including "nasusers". Domain accounts should appear in the format "DOMAIN[winbind_separator]account".

In almost all cases where getent fails to enumerate AD accounts even though wbinfo works, the idmap configuration is to blame (like in this case, which is just one of many that turn up if you do a Google search). Try changing the idmap settings to the proper syntax and delete the existing database.

Rhodderz · 03-28-2014, 01:59 PM

Quote:

Originally Posted by Ser Olmy

OK. Actually, wbinfo should have failed if the account trust relationship wasn't working.

That leaves the issue of the non-functinal getent. The accounts and groups listed are definitely all local, including "nasusers". Domain accounts should appear in the format "DOMAIN[winbind_separator]account".

In almost all cases where getent fails to enumerate AD accounts even though wbinfo works, the idmap configuration is to blame (like in this case, which is just one of many that turn up if you do a Google search). Try changing the idmap settings to the proper syntax and delete the existing database.

Hi again,m sorry for being a pain, still slightly new to this sort of error (didnt have a problem when samba was the domain controller) i have changed my global to this:

Code:

[global]
        server string = Rhodderz NAS
        workgroup = RMMD
        netbios name = RMMD-NAS-1
        realm = RMMD.INT
        syslog = 3
        dns proxy = no
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        security = ADS
        encrypt passwords = yes
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind separator = +
        idmap config * : backend = tdb
        idmap config * : range = 100001-200000
        idmap config RMMD.INT : backend = ad
        idmap config RMMD.INT : range = 100001-200000
        idmap config RMMD.INT : base_rid = 0
        template shell = /bin/bash
        ntlm auth = no
        client ntlmv2 auth = yes
        lanman auth = no
        log file = /var/log/samba/%m.log

restarted, blanked the cache/db and rejoined the domain but i still get the error. I know the error is staring me in the face but with my lack of experiance im not sure what it is. Getent still doesnt have any of the domain users or gourps either

Edit:
I rebooted after deleting the cache and let samba start naturally
Now smbclient -L /RMMD-NAS-1 -k gives me
"session setup failed: NT_STATUS_ACCESS_DENIED"

Ser Olmy · 03-28-2014, 02:07 PM

I see you've changed the idmap backend to "ad". That requires RFC 2307 extensions in the AD schema, and I don't think they exist by default. (Other than that, RFC 2307 provides a great way to store Unix-related information in directory services.)

Unless you actually have the RFC 2307 extensions in your AD schema, you should use the tdb or rid backends (the latter doesn't require a database at all).

Rhodderz · 03-28-2014, 02:10 PM

Quote:

Originally Posted by Ser Olmy

I see you've changed the idmap backend to "ad". That requires RFC 2307 extensions in the AD schema, and I don't think they exist by default. (Other than that, RFC 2307 provides a great way to store Unix-related information in directory services.)

Unless you actually have the RFC 2307 extensions in your AD schema, you should use the tdb or rid backends (the latter doesn't require a database at all).

Ah i did not knwo that, sorry my bad. I have changed it to tdb (and tried rid) but now i still get NT_STATUS_ACCESS_DENIED

Ser Olmy · 03-28-2014, 02:11 PM

Does getent finally enumerate users and groups?

Rhodderz · 03-28-2014, 02:21 PM

Quote:

Originally Posted by Ser Olmy

Does getent finally enumerate users and groups?

unfortunatley it hasnt :/ and as soon as i rebooted it went back to the error which is a tad frustrating as i didnt change anything. tried rejoining the domain with the same downside. also if i do wbinfo -u or -g i get the appropriate response but when i do -i rhodderz i get
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user rhodderz

If i change backend to ad and add the schemea_mode to rfc2307 (which apparenlty (dont take my word as i keep seeing this pop up on random forums) 2012+ uses this by default) i can then do wbinfo -i rhodderz and i get
rhodderz:*:101104:101121:Rhodri Metcalfe-Davies:/home/RMMD/rhodderz:/bin/bash
Thanks for helpin this far by the way.

EDIT:
i removed ads and put the backend back to tdb and i still get the infor as above when i do wbinfo -i rhodderz
and when i did smbclient -L /RMMD-NAS-1 -k i got
NT_STATUS_LOGON_FAILURE
this is after i kinit my admin account.